Org mode allows you to encrypt both individual items and entire files. I’ve just released support for encrypting individual entries using beorg, my iOS task manager which works with Org mode files, so thought it would be useful to show you how to configure encryption for Emacs and Org mode.
In this post I’m going to show you how to:
GPG Suite is the quickest way to get GnuPG onto macOS. GnuPG is needed by EasyPG which is how Emacs supports OpenPGP. GPG Suite comes with a 30 day trial of a plugin for macOS mail - however the tools that we need aren’t subject to a trial. In fact even the paid GPG Mail plugin is licensed under the GPL v3 so you could build it yourself if you wanted to from source.
So, head on over to gpgtools.org and click the Download button.
Once downloaded double-click the downloaded file (in my case it was called
GPG_Suite-2019.2.dmg) and then run the installer.
Once installed you can start configuring Emacs.
For our purposes the term symmetric key means you’re using the same password for both encryption and decryption. This is the simplest way of getting started and the limit to what we are going to cover.
When Emacs starts one of the files it looks for is
~ just means your home directory). It is here that we are going to configure Emacs and Org mode so we can encrypt some of our Org mode items.
Using Emacs (or another editor if you want to be able to restart Emacs and make changes to init.el quickly if there were any errors) start editing
~/.emacs.d/init.el. If the file doesn’t exist create it (creating first the directory
.emacs.d in your home folder.)
A file or folder whose name starts with a
.is hidden by the macOS Finder.
Add the following lines to init.el:
Lines 1 - 3 enable some needed libraries. Line 4 makes sure that when a file is saved any entries that were decrypted are encrypted before the file hits your SSD or harddisk. Line 5 ensures things don’t get confused if an encrypted item has children (you probably don’t want to encrypt each child individually and then encrypt the parent). Finally on line 6 we say that we are just going to use a password to encrypt entries rather than a public/private key pair.
If you were using Emacs to edit
init.el then save the file and restart Emacs. If using another editor then just start Emacs.
In Emacs create a new .org file and add an item, for example
* Item with information I want to keep secret The server password is B7!3a9!ZX
Put the cursor either on the headline (title) or anywhere in the notes, then do Option + X to bring up the Emacs minibuffer and type the command:
You’ll be asked to enter a passphrase. This is the password you’ll use to encrypt the entry.
Once you’ve confirmed the password the item’s notes will be replaced with a PGP message representing the encrypted text.
To get your notes back you’ll need to decrypt them. Put the cursor anywhere in the item, do Option + X again and this time enter the command:
At this point you may be given a warning about auto-save-mode causing leakage - in which case you’ll want to answer y to disable it for the buffer.
If you didn’t untick the option to save the password to the Keychain you’ll be presented with the decrypted notes.
If you are going to be using encryption regularly with Org mode you might want to set some keyboard shortcuts for encryption and decryption, however that is beyond what this post is going to cover. You may also want to take a look at encrypting entire files - and using asymmetric encryption techniques.
Don’t forget the password you use to encrypt entries as OpenPGP is quite secure and you’ll find it next to impossible to recover your data.